Numerous techniques are known for providing secure access to protected resources. One widely-used approach involves the use of one-time passcode (OTP) devices such as hardware authentication tokens. Authentication tokens are typically implemented as small, hand-held devices that display a series of passcodes over time. A user equipped with such an authentication token reads the currently displayed passcode and enters it into a computer or other element of an authentication system as part of an authentication operation. This type of dynamic passcode arrangement offers a significant security improvement over authentication based on a static password.
Conventional authentication tokens include both time-synchronous and event-synchronous tokens.
In a typical time-synchronous token, the displayed passcodes are based on a secret value and the time of day. A verifier with access to the secret value and a time of day clock can verify that a given presented passcode is valid.
One particular example of a time-synchronous authentication token is the RSA SecurID® user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A.
Event-synchronous tokens generate passcodes in response to a designated event, such as a user pressing a button on the token. Each time the button is pressed, a new passcode is generated based on a secret value and an event counter. A verifier with access to the secret value and the current event count can verify that a given presented passcode is valid.
Many authentication systems are configured to require that a user enter a personal identification number (PIN) or other static access code in addition to entering the passcode from the authentication token. This provides an additional security factor, based on something the user knows, thereby protecting against unauthorized use of an authentication token that is lost or stolen. Such an arrangement is generally referred to as two-factor authentication, in that authentication is based on something the user has (e.g., the authentication token) as well as something the user knows (e.g., the PIN).
Although two-factor authentication based on token passcodes can provide adequate security in many applications, a need remains for further improvements. For example, even in strongly-defended systems, security breaches are becoming more common due to the increasing sophistication of advanced persistent threats (APTs). APTs are usually mounted by well-funded attackers with very specific targets.